02-19-2013 05:29 AM
iMC UAM MS AD authentication issue
Hello
For several weeks I've been fighting with this problem.
I need to set up UAM authentication with Microsoft AD. The client PC is part of the lab domain and thus uses a domain certificate without the iNode client (the way our customer would like it to be). That means EAP-PEAP with MSCHAPv2.
In my lab I have one ProCurve 2824 switch and several virtual servers, one of which runs iMC with UAM, another has the AD DC and the third is the certificate server. I have set up the whole structure, imported certificates into iMC, etc.
iMC and UAM version is the latest:
Intelligent Management Platform (JF378A) iMC PLAT 5.1 SP1 (E0202P05)
User Access Manager (JF388A) iMC UAM 5.1 SP1 (E0301H04)
Unfortunately client authentication fails; in the switch traffic capture I see UAM asking the switch for MD5 authentication, which is immediately rejected by Windows, which wants MSCHAPv2.
In the mschapv2server log file I see the following:
[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[Feb 19, 2013 11:43:16 AM][Trace]: MSChapAuthServer():addInistialRequestMessage(): tunnel active packet: 00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
[Feb 19, 2013 11:43:16 AM][Debug]: Trigger one authentication request as parameters refreshed.
[2013-02-19 11:43:16.494] [Debug] [HashMapForCache::cleanMap]Find expired object...
[2013-02-19 11:43:16.547] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(LVLABIMC2.UAM.IMC.LAB/TESTACCOUNT)
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:16.990] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2013-02-19 11:43:16.991] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, ~={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, UAM={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}}
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
[2013-02-19 11:43:17.388] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The account is not found: uam.imc.lab\test>
mscv2js.c.d: The account is not found: uam.imc.lab\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
[Feb 19, 2013 11:43:17 AM][Trace]: The mschapv2 authentication user msg:The account is not existed on DC.
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java:625)
at mscv2js.server.g.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
I have done all the installation and configuration according to the manuals. EAP-PEAP assisted DC authentication is set up. In the log one can see that UAM asks the DC for the virtual computer (which I left at the default), which passes. Then, out of nowhere, comes this "test" account, which is in no way present in iMC. I suspect this is the reason why authentication fails and UAM reverts to MD5.
I created a "test" user on the DC, but since I have no idea what the password should be, it still fails.
Can anyone please point out what I am doing wrong?
Thanks in advance!
Marcis
02-19-2013 12:39 PM
Re: iMC UAM MS AD authentication issue
Hi,
Can you provide some more info on the client supplicant configuration?
Which client OS are you using? If Windows, did you configure user or computer auth?
Can you check the client PC computer name; does it happen to be "test"?
It could be possible that the computer accounts have not been synced between UAM and AD (LDAP), so when the client PC authenticates with the PC account, it will fail, so UAM possibly proposes an alternate auth method (MD5), since the PEAP failed.
So make sure to sync the computers container/OU as well as the users container/OU in the LDAP sync policies.
Best regards, Peter
02-19-2013 03:19 PM
Re: iMC UAM MS AD authentication issue
This doesn't directly fix your problem, but HP released IMC 5.2 today. BYOD is a focus for them right now, so you might like to try out the latest code, see if your problem is still there.
My guess is that support is just going to tell you to upgrade anyway.
02-21-2013 05:33 AM
Re: iMC UAM MS AD authentication issue
Hello Peter
Thanks for the response! :)
I attached my ProCurve 2824 switch config.
Port 1 is for uplink, ports 2 and 3 are where client authentication goes on.
10.32.12.26 is an address of iMC server
10.32.12.27 is switch's IP
I also verified that when I reconfigure RADIUS on the switch to talk directly to the MS AD DC, it works like a charm. Of course I have configured NAP on the MS DC.
I use a Windows 7 PC with the Windows native built-in 802.1X authenticator. I would prefer to avoid using iNode because this is what our customer wants. On Windows I left it at the default, which is both user and computer authentication.
The client PC computer name is "SMNdemo". The only thing close to "test" is the testlab domain user "imctest", which I use for logging in.
I tried to sync the computers OU but it does not work; the sync fails because computer accounts are represented by their name with "$" added. And since iMC does not accept the $ sign, the sync fails totally.
02-21-2013 05:34 AM
Re: iMC UAM MS AD authentication issue
I tried 5.2 but it did not solve the issue. I suspect I am doing something wrong, but I ran out of ideas as to what exactly.
06-12-2014 09:45 PM
Re: iMC UAM MS AD authentication issue
Resurrecting an old thread here. Probably going to open a support ticket, but I'm dealing with the same issue in 7.0 E0202. Device authentication works fine through AD, but I can't get 802.1x to work from MSM APs (MSM controller). I did find that the EAP type is dictated by the 'default access policy' configured on the access service assigned to the authenticating user. If certificate authentication isn't defined in the default policy, IMC seems to default to EAP-MD5 as a challenge type (doesn't seem to make too much sense, but it isn't the issue at hand). At this point, it would have been so much easier to do this in NPS (wtb NAS Id condition), but the customer wants UAM.
The authentication failure cause is listed as: E63121::receive no packet from mschapv2server.
The request isn't even showing up in the mschapv2 log. Netstat shows that mschapv2server is running on the port assigned in domain assisted PEAP authentication.
I do see the same recurring message in the log about a failure to authenticate with a "domain\test" account; I'm not testing from this. As the other posters pointed out, no idea what the "test" account is used for or what credentials it is trying to use. I've tried making a "test" account in AD (reflected below). Also not sure why IMC would want to change the password for the test account (LDAP error -1073741718). Not sure where to go from here... hopefully I'm just missing something.
Details from the mschapv2 log:
[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local
[2014-06-12 22:19:14.758] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(NPSDC1.domain.local/IMC-VCOMP)
[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$
[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2014-06-12 22:19:14.812] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2014-06-12 22:19:14.813] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2014-06-12 22:19:14.818] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {NPS={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, domain.local={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, ~={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}}
[2014-06-12 22:19:14.821] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718
[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>
mscv2js.c.d: The supplied credentials are invalid: domain.local\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.i.run(Unknown Source)
at java.lang.Thread.run(Thread.java:724)
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.DualStackPlainDatagramSocketImpl.socketSend(Native Method)
at java.net.DualStackPlainDatagramSocketImpl.send(DualStackPlainDatagramSocketImpl.java:133)
at java.net.DatagramSocket.send(DatagramSocket.java:676)
at mscv2js.server.h.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.i.run(Unknown Source)
at java.lang.Thread.run(Thread.java:724)
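Both log excerpts in this thread (the 2013 one in the first post and the 2014 one just above) have the same shape: the NETLOGON bind and secure channel as the UAM virtual computer succeed, the per-user MSCHAPv2 validation then fails for a "test" account, and finally mschapv2server hits a BindException while sending its reply datagram. The script below is an added example, not iMC's code or either poster's; it parses both line styles the log uses and separates those stages so the failing step is obvious. The sample lines are trimmed copies of the 2014 excerpt, and the NTSTATUS table is a small constructed lookup of well-known codes (the "ldap fetch error code" -1073741718 is the signed 32-bit form of 0xC000006A, STATUS_WRONG_PASSWORD, which matches the "supplied credentials are invalid" message next to it).

```python
"""Triage an iMC mschapv2server log excerpt: which DC was used, which
computer identity bound over NETLOGON, which user the DC rejected and why,
and whether the server could send its reply.  Added example, not iMC code."""
import re

# The excerpts mix two line styles:
#   "[Feb 19, 2013 11:43:16 AM][Debug]: message"
#   "[2013-02-19 11:43:16.494] [Debug] [Class::method]message"
LINE_A = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} [\d:]+ [AP]M)\]"
                    r"\[(?P<level>\w+)\]: ?(?P<msg>.*)$")
LINE_B = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+)\] \[(?P<level>\w+)\] "
                    r"\[(?P<where>[^\]]+)\](?P<msg>.*)$")

# Well-known NTSTATUS values; the log prints them as signed 32-bit decimals.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def ntstatus_name(signed_code: int) -> str:
    """Map the signed decimal from the log back to its NTSTATUS name."""
    code = signed_code & 0xFFFFFFFF
    return NTSTATUS.get(code, f"0x{code:08X}")


def triage(lines) -> dict:
    """Walk the log once and collect the facts each stage reports."""
    r = {"dc_name": None, "netlogon_identity": None, "netlogon_target": None,
         "secure_channel": False, "failed_account": None, "failure_reason": None,
         "ldap_error": None, "reply_send_failed": False}
    for line in lines:
        m = LINE_A.match(line) or LINE_B.match(line)
        msg = m.group("msg") if m else line          # stack-trace lines have no header
        if (x := re.search(r"dc name is (\S+)", msg)):
            r["dc_name"] = x.group(1)
        if (x := re.search(r"ncacn_np:(\S+?)\[.*with identity ([^\s,>]+)", msg)):
            r["netlogon_target"], r["netlogon_identity"] = x.group(1), x.group(2)
        if "Secure Channel encryption installed" in msg:
            r["secure_channel"] = True
        if (x := re.search(r"ldap fetch error code is (-?\d+)", msg)):
            r["ldap_error"] = int(x.group(1))
        if (x := re.search(r"(The account is not found|The supplied credentials are invalid)"
                           r": ([^\s,>]+)", msg)):
            r["failure_reason"], r["failed_account"] = x.group(1), x.group(2)
        if "BindException" in line and "Datagram send failed" in line:
            r["reply_send_failed"] = True
    return r


def verdict(r: dict) -> str:
    """Summarise the stages: computer-account channel, user validation, reply."""
    parts = []
    if r["secure_channel"]:
        parts.append(f"NETLOGON secure channel to {r['netlogon_target']} "
                     f"as {r['netlogon_identity']} is fine")
    else:
        parts.append("NETLOGON secure channel was not established")
    if r["failed_account"]:
        why = r["failure_reason"]
        if r["ldap_error"] is not None:
            why += f" ({ntstatus_name(r['ldap_error'])})"
        parts.append(f"DC rejected {r['failed_account']}: {why}")
    if r["reply_send_failed"]:
        parts.append("mschapv2server could not send its reply datagram (BindException)")
    return "; ".join(parts)


# Sample input: trimmed copies of the 2014 excerpt posted above.
SAMPLE = [
    r"[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local",
    r"[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$",
    r"[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.",
    r"[2014-06-12 22:19:14.821] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed",
    r"[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718",
    r"[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>",
    r"<java.net.BindException: Cannot assign requested address: Datagram send failed>",
]

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)))
```

The point of separating the stages is that a successful "Secure Channel encryption installed" line rules out the virtual computer account and DC reachability, so the remaining questions are only which user name reached the DC and why the reply could not be sent.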
06-15-2014 06:39 AM
Re: iMC UAM MS AD authentication issue
Hi,
What type of EAP auth are you trying to configure?
AFAIK, EAP PEAP MSCHAPv2 is not possible for computer authentication; only EAP-TLS (client cert based) is possible.
Since you mention the mschapv2server process, I have the impression you are trying to set up EAP PEAP MSCHAPv2, which does not work (yet; I heard this might be included in the future).
06-15-2014 05:45 PM
Re: iMC UAM MS AD authentication issue
Peter, thanks for the response.
Yes, I'm trying to do PEAP MS-CHAPv2, but only for user authentication. Is this not supported by IMC? If not, what options are available for 802.1x user authentication?
Thanks
06-16-2014 02:18 AM
Re: iMC UAM MS AD authentication issue
Hi,
* EAP PEAP MSCHAPv2 is supported for user auth.
* Did you set the Domain controller OS version to "2003 or earlier"? I know this does not sound intuitive, but the parameter does not link directly to the OS version or domain/forest level, but to some Kerberos/MSCHAP auth level type. Most people do not have this enabled on the domain, so the original auth type should be used (described as 2003 or earlier in this parameter).
hth, Peter
06-16-2014 01:16 PM
Re: iMC UAM MS AD authentication issue
I do have it set at 2003 to match the domain functional level. I opened a case, so we'll see where this goes. I'll provide an update once progress is made.
Thanks